About this Show

Tonight From Washington

News/Business. News.

NETWORK

DURATION
03:00:01

RATING

SCANNED IN
San Francisco, CA, USA

SOURCE
Comcast Cable

TUNER
Channel 91 (627 MHz)

VIDEO CODEC
mpeg2video

AUDIO CODEC
ac3

PIXEL WIDTH
704

PIXEL HEIGHT
480

TOPIC FREQUENCY

Fbi 21, U.s. 21, Washington 17, United States 11, Dhs 9, Venezuela 9, Nasa 8, Russia 7, Nsa 6, Fema 5, The Nation 4, Dmitri 4, Lieberman 4, Sandy 3, Napolitano 3, Obama 3, Steven Bucci 3, Nationstate 3, Pentagon 3, Cyberspace 3,
Borrow a DVD
of this show
  CSPAN    Tonight From Washington    News/Business. News.  

    October 31, 2012
    8:00 - 11:00pm EDT  

8:00pm
[inaudible conversations] ..
8:01pm
but then they were wiped out by the spanish. we've completely left the story of the textbook. the most famous woman in america was captive by indians in 1695 bup in new hampshire and in the middle of the night she killed her captor a bounty for indian scalps she went back and made her way back where she was a hero when and the first statue to an american woman with a hatchet in one hand just
8:02pm
appalled, says the federal government is doing all that can to help restore power to the areas affected by hurricane sandy. a 45 minute speech at a cybersecurity summit she also said she hoped the senate would consider cybersecurity legislation after the election. >> it's a perfect morning to talk about scary things, scary things with unpleasant names like mel where and computer worms and trojan horses and even little messages when you get in your in box because you're nothing but headaches and loss. if you don't like the idea of people snooping around your in box or personal e-mail. you care about a company that
8:03pm
stirs up electronically and worries about competitive theft over the internet and a few flaws and recently to the director of the cia painted a dire picture of day-to-day cybercrime and the foreign enemies if we don't show ourselves up can inflict enormous damage to the power grid water system and critical infrastructure. we would worry about plans and bombs and not worry about good intentions and acting skills. people care and increasingly so and so this morning "the washington post" has convened a stellar group of cyber experts to highlight the issue. the vulnerability is out there with a whole game of talking about stronger defense. let me welcome now a person steeped in cyber, a member of president obama's gemmer circle, psychiatry homeland security janet napolitano. [applause]
8:04pm
she's going to give a few remarks of the podium and then we are going to sit down for discussion and welcome your questions as well. and along with running americas homeland security department come and the whole range of responsibilities from terrorism to natural disasters, and i just always loved to mention this that before coming to washington, she of course was the governor of arizona. she chaired the national governors' association, and she was the very first female valedictorian at the university before she got her doctorate. i love that. miss napolitano. >> good morning everybody. i thought i would do is give you a little update on the storm in part because as mentioned, disaster response is one of the key elements of the department of homeland security. fema as part of dhs and as you
8:05pm
will see in my comment, there is an analogy to cyber and cybersecurity that i want to be able to draw for you. but we all know that sandy seems like an innocuous name for a very strong storm that is still going on. so, now we are looking at flooding on lake erie, possibly lake michigan, secondary flooding downstream as the rivers filled with the remnants of sandy and the water has to go somewhere. we are looking at and centralizing and our hearts are going out literally millions of our fellow citizens who have lost lives. they've suffered injuries. they've lost their property. some of them have lost everything they own. they have been forced from their homes in the temporary shelters. our number one priority right now remains keeping people out of harm's way.
8:06pm
ironically that is sometimes more difficult in the aftermath of the storm than before hand because people want to get back in, they want to get their business back up and running and get back in their home and see what the damage was. but given all of the infrastructure issues, particularly with respect to the downed power lines, it's still not safe until someone tells you it is safe to go back into an area that has been evacuated. before the storm of local officials get out and they tell you to get out we have to reiterate the message please, stay out until it is safe to go back. president obama has obviously cancel all of his campaign even as of the last few days to direct response efforts to the storm. before it actually made landfall this is something that we developed over the last few
8:07pm
years with fema pre-positioning equipment and food and water and other things that are likely to be necessary. repositioning personnel so that as the storm queers' and it is safe to go back and we can move very quickly. we are now in the recovery mode. we are moving large amounts of areas into the affected areas and will be probably if not the most extensive and extensive but one of the most in the nation's history, so we are asking everyone to work with us. we are working closely with the governors and mayors and i also pleased that they are on top of things and focusing on what it's going to take to get their communities and their states' back. the governor affected by the
8:08pm
storm have been particularly apt and working with communities and coordinating local response. so, patience is going to be the watchword of the day. we cannot wave a magic wands and get power back on. the companies did prepossession and equipment that the storm has to clear and the water has to go down. in many places tiberi has to be removed before power repairs can take place. it is a domino effect and unfortunately, that takes time and requires patience. we are moving heaven and earth. we will continue to move heaven and earth to get things done as quickly as possible. so, work with us. patience, i know it's so hard when you're out of your home and out of your environment. you have no power, you may have no phones. we all understand and
8:09pm
sympathize. we want to make sure that you can return and return safely and that we are working swiftly to rebuild communities. now, you are going to ask me what does that have to do with cybersecurity? a couple of things. we know that cyber extends into every aspect of everyday life. but just think of this. as mentioned, the nation is under attack constantly on cyber. it is an area that i've seen grow in sophistication and in almost four years i've been secretary. the secretary panetta at the dod sounded the alarm, and i do as well. one of the possible areas of attack of course is a tax on the nation's control systems. the control systems that operate
8:10pm
our utilities, water plants, pipelines, financial institutions. and if you think that a control system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that mother nature has taken of those utilities. the cascading effect for immediate and serious and can be life-threatening. so, the urgency, the immediacy of the cyber problem, the cyber attacks that we are undergoing and continue to undergo cannot be underestimated. we have a number of examples you've read about them in the past years. we have seen more like all traditional crime. i used to be prosecutor so traditional crime, theft, fraud, unfortunately child exploitation, child abuse.
8:11pm
we have seen those on anticipated by the internet. we've seen that is a significant intellectual property intrusion into significant contractors united states. we've seen control systems small water plants in texas. we have and are undergoing a tax on some of the largest financial institutions in the united states today. and i think while it is impossible to put a hard number on what these cost, there was a study last year morgan had said $114 billion annually, along with the time to repair the victim's loss and the like so that raises it to almost 400 billion annually and i think that is a very conservative estimate. i must say given what crosses our desk at the dhs.
8:12pm
let me explain what the rule is. we are responsible for securing the unclassified federal civilian government that works. we are responsible for coordinating with the owners and operators of the nation's critical infrastructure to secure their networks and respond when they have been attacked, and we do have a significant role in fighting cybercrime zandt conducting investigations in that area primarily with the secret service and i.c.e., hsi both of which report to the dhs. we share actionable cyber threat information with public and private sector partners. we help them identify facilities before an incident occurs. we provide forensic assistance and response and recovery after a cyberattack. we manage the national
8:13pm
cybersecurity communications and integration center, the nccic it's called. it coordinates activities across the federal government with private sector partners in the critical infrastructure arena. we are responsible for coordinating the national response to a significant cyber incidents and creating and maintaining a common operational picture for cyberspace across the government. in this way, and now i will give you the comparison, we look and act like a cyber fema whereby resources tall levels are coordinated and deployed, can be deployed nationally with the dhs serving as the hub of a very large wheel. we regularly host exercises,
8:14pm
gauging responses to realistic that tax, and we put the national cyber response plans to continue testing. let me just pause for a moment. i noticed that this group is doing an exercise this morning. i didn't see the dhs among the exercise participants. but if this were really an exercise and you were dealing with a scenario, if you would have the dhs, you would have the fbi, you would have the nsa, the three key players where domestic incidents are concerned. so, as we move forward, and i hope this program continues just a suggestion for future years we have to do more. we have to do more. we have gone for about 5 miles an hour to 85 miles an hour at the dhs in the last three or so years.
8:15pm
we need to be at 120 miles per hour. and i would say that across the federal government. so this is an issue that we are suddenly engaged in and the president is heavily engaged and he's demonstrated that by putting money into cyber at dhs. we have increased our work force about 600% over the last few years. he's consistently asked for double-digit increases in the cyber budget, and even this year we don't have a budget yet but if there were a budget, we would have a significant increase evin above fy 12 where we had a significant increase over fy 11. so the president is putting resources where the need is the greatest. we need to work with the private sector, and this is an interesting and serious issue because of the way that the politics have played out but we need to improve real-time
8:16pm
information sharing. we need to promote adoption of better practices on cybersecurity for the nation's core critical infrastructure. much of the core critical infrastructure does a very good job, but in an interconnected world if there is a weak link that creates a vulnerability that can be exploited to all so that is why we talk about the need for standards and best practices where critical infrastructure is concerned. we need to ensure that we, the government can share information at various levels of classification to help the private sector help itself. real-time information sharing, so very key and we need greater information sharing so that we can learn from the private sector people fight attacks every day. why does this matter?
8:17pm
because when we learn about something days or weeks after an attack, we can't help mitigate and there's other critical infrastructure that probably needs to be warm or at least put on alert and we need to be able to work on the forensics, so holding on to all of that which occurs all the time is something that really in peace our efforts at securing critical cyber networks for the country. for decades i have to say government and private sector have been able to work together where security is concerned and we need to follow that pattern here. we need to work together. many of you come from the private sector and the general was right in his opening remarks. security isn't something that shows up on your return on
8:18pm
investment. security is something that just comes out of your cost but it is a cost of doing business and has to be recognized as such, and we have to be able to recognize that those dollars really matter. so if you are in an area that represents the critical infrastructure of the country, there is a private and public responsibility for security. that is what we are encouraging. that's what the legislation and the president supported this past spring was intended to do to improve information sharing and to develop and require best practices among the nation's core critical infrastructure. we've testified during after hearing after hearing and we have presented over 100 briefings at the senate, one in the house but this was an area where even though it involved
8:19pm
security we couldn't find a bipartisan agreement by and large. we are committed to continuing to work for legislation to the above update and streamline the existing authorities we had. we want to work with the congress on this but the fact of the matter is if the congress cannot act than other options need to be pursued. the matter is simply too serious. secretary leon panetta has said and by saying it now on the security side. we have to step up the game. that's for the private sector, the public sector, the interest is involved in the security of the nation is involved. let's get to the discussion. let's get to the exercise but let's make sure you leave today with a sense of the seriousness and the urgency of the threats that we face. thank you very much. [applause]
8:20pm
>> which one do you want me on? [laughter] >> let's talk about more specifics following what you said about how we step up the game. what is the biggest need? >> as i said one is real-time information sharing and number two is the exercise of cybersecurity best practices in the nation's core critical infrastructure uniformly, not just at the sadr ackley -- al-ad ackley . >> there's a huge bank and if they are not doing something voluntarily come and get it if they go down it hurts the nation as a whole. what if they don't do it voluntarily what does the government to? >> well, what does the market
8:21pm
due? what is the response? when there is a cyber incident and there are major damages to consumers or members of the public what is the cost to that entity. the costs are going to be shared by all of the people in that sector the ones that have been doing a good job versus the ones proceeding mauney steve gup classic free ride issues all the way through this and it's one of the reasons why the legislation makes so much sense because then you can get to the sense of national uniformity where the infrastructure is concerned and that is what we think is uniformity. >> of legislation makes so much sense, where is it? >> it's kind of stock. stuck in the senate right now. there is a house bill but it doesn't cover a lot of the
8:22pm
things it needs to cover. there is a bipartisan bill in the senate supported by senator lieberman and collins, rockefeller, feinstein are the main sponsors. i think that failed on a cloture vote earlier this year. i think there may be another agenda that during the lamb dhaka. whether there is one of probably depends on the outcome on tuesday. >> simply that out. if president obama is reelected. >> when he is reelected -- [laughter] i think the president shares our concern about this and this very up to speed on the elements and the different types of attacks that we are experiencing. i think that he will have to consider an executive order that
8:23pm
covers many of the areas legislation could cover, but it's not a complete substitute for legislation. there are some things that only legislation can provide. saddam for example, companies -- you see what would incentivize the company to voluntarily pay this. one can be liability protection if any event were to happen but they had been deployed in what was construed as best practices. that kind of liability protection can only be conferred by statute. so that's the kind of thing that we have to leave to congress. here's another one. this is just personal to our department, but we are in the midst of hiring. and if any of you out there want to participate in a national security mission or work with us and see somebody that's hear from the dhs after the program
8:24pm
we need cybersecurity folks, we need analysts, i.t. specialists, people who are familiar with the code and coding. the whole panoply. one of the problems that we have is that we are a government agency so we have to follow the rules on that. with the legislation can do for us is what the nsa has and that is an exception on pay and some of the normal rules apply in hiring and the make it more competitive for us to be in this highly competitive field that can only be done by legislation. >> what are you paying over there? >> i will have that discussion with people that are interested. [laughter] we don't of signing bonuses unfortunately. we are not the nba. but i will say look, if you want to be in an area where the
8:25pm
mission is absolutely key, where it is fast developing where you can be on the ground floor of something in the of major significance to the public interest and use skills that you have developed in cyber unit to come with us because that is exactly what we are doing every day. >> you were saying thousands of jobs. >> i've actually identified now at least 600 key positions that we are actively recruiting for but in d-nd would be more than that. >> are you getting headway in this group that you are trying to put together? >> we have increased as i said, 600% over the last few years. we have brought the car got some great fabulous people in the cyber area and fabulous people tracked fabulous people because they're having fun. the dealing with some difficult problems. we work very closely allied to make sure i point this out we are working closely with the fbi
8:26pm
and we work closely with the nsa. we have restrictions on what the nsa facilities and capabilities and we can use in the domestic arena. and we have to be very conscious of civil liberties and privacy concerns. it's a big, big deal. and succumb to the extent as we work with the nsa, our privacy office at the department has been directly involved in fact i see a former chief officer in the audience who could perhaps talk about that later but we are constantly looking at making sure we are using that incredible technical capacity in the right way >> this has been such a key issue with the private sector picking up people. is it working? >> yes, we just created and announced last week the secretary honors program you can go to dhs.gov to get information
8:27pm
we spoke to 50 people selected on the competitive basis and some of those are going to be in the cybersecurity arena and that is added to the internships, the bishops and grants and the centers of excellence that we are supporting at the nation's universities and colleges because some of the skill sets that we need really involve curriculum so we are all over the place in this area. >> the first was 1969, right? so we hear that now even in kindergarten they are telling kids to be more pass are protected and more wary. do you see what of the sloppiness and human areas to kind of get late in the game? de you see the this is a particularly vulnerable period and things will get better and the so-called human factor that is causing so many virtues will get narrow cracks
8:28pm
>> i think -- look, in the interconnected world that we have everybody is a link so anybody that is on line as a potential avenue. it is a public education issue. it's like in the 1960's the seat belt campaign they didn't use to make cars with seat belts. there was a big issue. nobody's .1 to put on a seat belt and they began to buckle up for safety. now if we ever really think of getting in the vehicle without putting on your seat belt is just a reflex. you do it. it would be great and a great bowl for us to have that same kind of action and reflex capability where cyber is concerned. >> so what is the symbol --
8:29pm
>> we have a campaign called think connect, which is designed to mask people before the download and e-mail from a source they've never seen before, for example, they really think what could that be, and protect themselves. and there's a whole host of things individuals can do. again we have them posted on the website commands to a number of entities across the country in terms of what individuals can do they are trying to push down to younger people. you mentioned kindergarteners. yes as they grow up this is just a part of their life. they don't see the computer as something between them and life. it is life, it's fully integrated since they were to. so they're reflective actions are going to be very different than some of us older folks.
8:30pm
so we just want to keep sending that same message. >> i understanding you don't use e-mail. is that true? >> that is true. >> and that is so that nobody can hack into the homeland security e-mail? >> yes and it is also a time saver. you're most precious asset is your time, and i just personally had made of the decision that i don't want to be scrolling all the time so how do i get formation? i did a number of ways. people around me get e-mails, and i certainly get past what is important for me to see. >> do you think most people in this room should -- >> i think you would agree with me really. come on. how many people to talk to that say it's been about an hour were
8:31pm
going through my e-mail as opposed to how much is really substantive and needed for your work or family or communication. but again, it is a personal choice, and i am not here to preach any lessons about personal choice. that is up to the people, and i know in my family i am certainly in outfly year where this is concerned, but i do believe that anybody that does use the internet has to have a recognition of what that means. you are now on an interconnected world, and you are a source of opportunity where knowledge and information can flow, but you are also a source of potential vulnerability and there are things you can do to mitigate that. >> there's a lot of internet hacking tool is available on the internet that help people. do you think there should be some regulation on that?
8:32pm
>> i don't know about that. having been through just anything that is regulatory that could be in the congress, i'm not sure that anything would happen, but i do think there's nothing wrong with the sense of public and private responsibility. the internet is a huge resource for the world to protect it as a free and open resources requires people recognizing what it is and is not coming and recognizing that they have some personal responsibilities here as well as being able to the right personal enjoyment and fulfillment. estimate the question of how does how does the private sector work with the government. so let's just say that on facebook i have a breach this morning. who might call?
8:33pm
do i call the dhs, the fbi? >> here is the deal. we have an agreement. we have the nccic coming and the fbi has the nciattf and i am sorry to through all the acronyms that you but the fact is a call to us is a call to both because we are closely interlinked and we have people from each organization that's one of the reasons and as we go through an event, we to make the decisions as to whether it is an investigation the fbi should take the lead as they normally do on the investigations, whether there is a system protection of vulnerability that needs to be explored whether there is information that needs to be shared to the broad for gold that normally is us and the fbi together. so we will work of the event but
8:34pm
much of us work jointly. >> we all are and i found this who is in charge question. it's kind of old think. we've got to do this as a team. the director of the fbi, the head of the nsa and myself we meet regularly. we have folks located all over the place. a call to one is a call to all three and that is how we are proceeding. now it is an incident of such gravity and dimension that you have a national disaster on your hands i will tell you who is in charge is the president of the united states and she is the one directing the response. just as you see him now on hurricane sandy.
8:35pm
>> what is your biggest worry? is the bank, the power grid, water? >> yes. right now financial institutions actively are under attack. we know that. i'm not giving you any classified information. and they have them. >> what kind of thing is happening right now? >> that i don't want to go into but i will say that this is in the nation's largest institutions. we also have our stock exchanges attacked over the last year's, so we know they, are there. there are vulnerabilities we are working with them. >> are they actually taking money? >> yes. i really don't want to go into that. all i wanta say is there are active matter's going on with
8:36pm
financial institutions, the energy sector is a concern because of what has happened in other places in the world. but when you look at cyber in terms of infrastructure, we've actually divided the nation's core critical infrastructure in the sector, and we know that there are different types of attacks and methodologies that could cause great damage so even as we see what is going on now, we have to be thinking proactively what could the next wave be and how could it occurred? >> even some that have been the last few days? >> well, you know, there are always nightmare scenarios in any type of disaster preparation. we are going through one now
8:37pm
that is another major nightmare in that sense. cyber can be another and has a great potential to be so. that's why we have to really be looking at this issue on their return on investment. that's why we have to be thinking about the deterrence and how the economics work to go back to the general introductory comments and that's why it would be so helpful for the congress to act. >> let me take a few questions here from the audience if you please identify yourself and keep your questions short. what do you think -- what is the best cost of cybercrime annually what you think the best estimate is? >> the norton study that i referred to is 188 billion then we had lost time and everything
8:38pm
about 400 billion annually. >> 400 billion? >> yes to life seen estimates that very, and i think that we don't have a good way to measure. we don't have a good way to measure in part as we don't have good information sharing. and so it just indicates the need for information sharing ret large and particularly it is more real time information sharing because our ability to help to mitigate, to protect is really dependent on knowing what is happening. >> what would in sent them to share information faster with you and get this moving? >> first of all they would be able to tap into the protected resources that we represent, and we had teams that actually go to victims, go out and help mitigate and we have done this with some very large entities. i don't want to use a google or
8:39pm
facebook and we help with the vulnerabilities of the fact, so they get the benefit of that exchange and quite frankly we have some of the best minds in the world. when i say we amine the federal government in terms of how to do this and so that real-time information sharing and the benefit of that as you tap into this. >> somehow that will outweigh and hurt the stock prices and they will break into these entities. estimate that is always a concern. >> we keep a lot of information highly confidential. that's why not talking about the particular entities but the plain fact of the matter is that if you are operating on the nation's core critical infrastructure in that environment so of their businesses rely on you, households rely on you, communities rely on you there is
8:40pm
a public response devotee that is as part as being in the business so that needs to be reflected in how you handle security matters and that is where the public and private i think your interests are joined but what is separating us in a way is a false dichotomy. we need the best practices shared and utilized and real-time information sharing. and i think that if you can agree on those things, and i think that there is a rough agreement that we ought to be doing something very significant on the legislative front. >> should there be a penalty for someone's negligence if they are of such importance and they are shoddy with other federal offense what is your recourse in the federal government? >> i used to be a lawyer in private practice before i was a prosecutor and let me just say this if you are negligent as a
8:41pm
company that supplies core services, i have a feeling your customers are going to have something to say about that and you are yourself running a huge litigation risk and that is a big cost. >> did you like being a prosecutor? [laughter] >> i saw your eyes light up. >> just wait for the microphone and identify yourself. >> thank you come good morning madame secretary. i am from george washington university and many of my students are over here in the audience. we try to educate them both domestically and internationally in terms of the threat and that gets to my question about prosecuting after you go after
8:42pm
somebody. what happens when you have 200 or so companies around the world not all of the laws are the same what can you do international become and how do you see this even if we got our act really together, how do you see the cooperation developing with foreign countries and other entities and so forth? >> i think that is a rapidly evolving area because there is no good international framework right now to deal with the international aspect of cyber investigation, cyber forensics and cyber deterrence if you think of prosecution as one kind of deterrent. there are some activities going on. for example, the u.s. and the e.u. have an ongoing cyber group by the league of budapest in this month actually come and they are working for some of these issues.
8:43pm
the regular topics of the meetings that eric holder ready and i have with our counterparts in europe and in the g6 so we are trying to develop agreements, protocols and the like that will improve the international reach in this area. but it is very a much an act in progress. >> we will take one more question because she has to leave. right here. >> i'm understand that you have to head off to the federal emergency management agency. so, i must ask you -- understand that mitt romney suggested we need cuts in the federal government and even suggested fema might be a place to start. >> i just can't respond to that. all i know is i've got a bunch of folks, hundreds that have
8:44pm
been working 24/7 for days now and in the foreseeable future and i've got them here and the field working with new jersey and new york and up into new england and west virginia and all of places impacted by this huge natural event and i'm going to focus on making sure they have the support they need to do their jobs and if they do their jobs well it will help everyone with the recovery from this really serious storm so let's focus on what's here and now and what we have to do to get the job done. >> fema isn't going away? >> not at all. i'm sorry but i just don't want to get into responding to the candidate speak. i want to talk about the fact that fema now has become a very agile proactive organization repositioning, things that
8:45pm
really have been able to make incorporated response we call it speed and what i say is mass on target to get people in there as quickly as possible to help people who have been injured or damaged or lost everything so that is what we intend to do. >> when we look at the cost of the storm what do you think in the industry to be the most costly? is shutting down economic damage? >> i've seen different estimates i think they are premature at this time. the stock exchanges going to open today which is significant and the cyber work done over the last 48 hours to check their connections and all the things that needs to occur they have been up 24/7 on this as well but the united states a very strong country coming and we take some
8:46pm
pretty hard hits and we get right back up and back to work and the restoration of the communities and i think we will show the world that's what we do in this incident as well. >> thank you since it's been a particularly busy time. >> thank you. [applause] more now from the "washington post" cybersecurity summit. this panel focuses on how the government might react to a cyberattack. this is a little less than an hour-and-a-half. >> right over here we have general james cartwright, the vice chairman of the trade chiefs of staff, the nation's second highest military officer. he's not a harold brown studies at csis the center for strategic and international studies after spending 40 years in the marine corps. today, he is playing the the national security adviser. the will that comes easily to
8:47pm
him. next to him is william iii, the number two over the pentagon and he served undersecretary robert gates and leon panetta. his job was just this. he managed 3 million people in a budget of $700 billion. today he is the ceo of drs technologies and other world-class labor expert. beside bill is stephen seth pinsky the former deputy assistant director of the fbi cyber division. he has the highest ranking position in the fbi cyber decision and he will be playing the fbi director swedes general cartwright playing the role of the national security advisor and the bill is the secretary of defense. this is perfect to play that
8:48pm
role and we have steve out of the fbi. on your screen you also see their roles that they are playing on your table we also have the agenda. and dmitri alperovitch is the co-founder and chief technology officer at the computer security fixture. he focused business and government on how to protect their intellectual properties, and dmitri is to deploy the ceo of the oil company that gets hit in the exercise. and we have james lewis beside him, the senior program director for csis and he's worked at the state department and commerce and he is a leading on fiber for the united nations group of the government of experts on information security and about town everybody knows what we're
8:49pm
talking about sires. he's the secretary of state today. so we have the ceo of the company, secretary of state coming and we also have benjamin powell, he is the partner and former general counsel of the access of director national intelligence. he also served in the airports and the fbi. and he is going to be the director of national intelligence. >> the role of the dhs so you are going to play both roles today. okay benign grindle leal the scenario and then turn it over to the moderator asking questions. here we go. it's the day after thanksgiving
8:50pm
for people are not paying much attention. they want to go out and shop. it's kind of a lowercase and the ceo of a large oil company is notified at 8 a.m. that a computer virus is shut down 40,000 computers across the company. it's rendered the machines unbelievable. the business systems are down. the computer system contains vital information about the pressure and the safety parameters from drilling off the coast of mexico and the operations. also infected the computer systems that direct the company's trading operations so that they can't find and sell oil. if there are millions of barrels of oil, 1/5 of americans in
8:51pm
output is no longer being bought and sold. immediately on the new york exchange across the board is $5 to $100 a barrel. meanwhile the u.s. intelligence community is on its own. they haven't talked to the u.s. oil company but it's on its own and the virus is called payback and it is deployed by the state sponsored actors in the country that we are calling ex land, the middle eastern country under western sanctions. [laughter] again because we are worried that somebody felt this would happen, it is the middle eastern country that we have some specificity that the intelligence community is hearing they are behind this attack. that's the scenario i am going to turn it over to start asking where do you start? >> this is a major event for your company and are you going
8:52pm
to tell the government are you going to need help to investigate the mitigate the damage. this isn't the day i want to wake up after thanksgiving. [laughter] to priorities, i want to estimate and prevent further
8:53pm
ha a variety of regulators across the government of that i'm responsible to of and the regulatory commission, the department of energy that it is a part of and the department of interior, the dhs was ideal on a regular basis and the environmental protection agency and it is a public company the securities -- >> are you going to go to any of them and -- >> i'm also helping them have a variety of recovery agencies so i'm going to decide what the appropriate response is on the agency's and take a very deliberate action and i'm not going to rush into sharing information with this and the impact until i understand the
8:54pm
regulatory and my liabilities. i also have customers that have to deliver that will suit and determine whether i am under civil liability for fulfilling the line of the contracts. i'm also worried about the stock price is a public company and the fact of the prices of this information gets out i think i'm going to approach the director of the fbi and not necessarily the impact, but the support of the systems and some of the technical indicators that we've identified and my team has identified so they can help me determine who is behind this and what do they do and why they are coming after me. >> so mr. fbi director what do you say to them? what information are you
8:55pm
prepared to share with the company? what do you have to offer the company? >> we had a couple of guys that were on their way. >> at an event like this there were indicators that you mentioned coming out of the intelligence community that we were seeing if i rise at this point all of that is what is happening on your system and how it compares to what we already have so we're interested in the same things that you are interested in who is doing this and how does this now where -- malware have infrastructure or operating systems. but the question you posed as a good one. what information are we going to share with you? we are going to ask you a lot of information, and i think typically if you will back the clock a few years ago, the answer would be we were not
8:56pm
prepared to share a lot with you. it is a one-way street. now what we are seeing more often is that the department of homeland security and the fbi are working together we are going to work with you and offer some assistance if you want to head the systems to help mitigate. the department of homeland security through the search as well as the nsa through misinformation and instructor, which is not the intelligence operation they have a lot of information that might help you, it's going to be offered on the fbi side. we are going to be looking to figure out who's doing this and ask for those records we just don't want the malware. >> how hard will you push to get it if they are resisting? >> if you are resisting we typically will not try to -- we are not going to victimize the victims of it's very seldom that we would serve you with process to get that information. we could serve you with process
8:57pm
to get that information but voluntary how much information we are going to give you about the actor is, unfortunately it is going to be at this point we have records we're going to cover we could get some people in your organization a limited clearance for the entirety of this event. it's just for the situation. so i don't think the security clearance is going to be as big an issue as the content is and why we are seldom going to say this is the country we think it is. but we might actually be able to say we have reason to believe it is criminal. without actually telling you who were the subjects are. >> from my perspective i'm not calling to let you on my network for the experts that can respond so i don't need others in the kitchen right now and especially those i don't control those that don't work for me so my priority is to get the company online and your priority may be to
8:58pm
investigate and uncover what happened to those do not align so while they will provide information what we uncover and let me help you write it defied and i'm not going to let you in on the response. >> you listed dni. at this point, you're thinking is that it might beat a nation state. tell us your assessment about from the actor is and what his motives might be. how much do you know about it and why are you calling it payback? >> we know that they have expressed an interest in these capabilities. we know that they are on the tight that make the tools available. we know that they have been investing in these types of capabilities. we know they've been working with their terrorist allies to develop the virus and mal where capabilities to reach out and touch other countries in the critical infrastructures. we have medium confidence that
8:59pm
they've gone ahead and employee of this kind of capability. we don't know and it's a very murky testing of the ability to see what they can do and what our reaction is and a very longer-term attack that they intend to keep so we back off of our sanctions, so very murky. the actual connection to the terrorist allies is murky. we have medium confidence that they are involved. we know that other countries have the capability k and the other countries would mess up the syria intertwined with there's unlike x land there could be others we haven't picked up that developed the capability and we have overlooked it. the reason that we've called it payback and why people are saying there may be payback is
9:00pm
that we have been the leader imposing sanctions, both diplomatic sanctions come export sanctions, financial sanctions. "the washington post" ran a series of articles about the covert activities but we are offering to comment because the cabinet isn't clear to know the "washington post" stories they are reading our true. we aren't going to talk about those articles but i think the point is from the perspective, they read "the washington post" and they may believe that the "washington post" articles are true and not those activities the talk about, so that may lead them to say if they are doing this stuff why shouldn't we be investing it and doing it to them? >> thank you. the national security adviser assists they've now been disrupted. there are signs this event could
9:01pm
start to affect gas prices and international our kids. what are your concerns and how are you looking at this situation. how closely are you watching this and i would like to open this to the rest of the panel. >> i'm not exactly sure. the price went up before you told anybody. but, working our way through this, the key is that we have found a problem here. what we don't know is is it just in your company or is it broad from the standpoint of drilling and more moderations, administrative operations associated with that. so this virus we have one company now but the potential that its greater than that is probably out there and significant. we don't understand that yet. ..
9:02pm
that would be to support that it cannot now be turning to other cabinet members and asking them to look at this issue from their perspective and provide me breathe on how they see the current committee and potential for the activity to growing some light of what those look like and discuss at some point once we got through that the potential courses of action we could take responsibly.
9:03pm
the first is oil is an international commodity. it has flavor not only in your company, broader. the virus anyplace else seen this virus or light activities how viral is the effect to get a manifesting itself globally. so those are the kinds of questions i would now turn the cabinet and say what you know? would he have in mind? with her possible remedies we could do? mailing and walking into the room is justice to be in charge here, ths and intelligence support. i turn out should bring me up to speed on what they think is going on but they won't tell you. >> so at this point we've received from our at the fbi redistributed to two folks, department of homeland security and of course the federal energy
9:04pm
regulatory sincerity spoken with chairman dwellinghouse. so they are trying to figure out for the entirety of the oil and gas industry what he was focused on him if there's vulnerability and what implications they can take to secure systems all at the same time the fbi will work with the rest of the community to seek retribution. we have a lot of gaps in. one of the areas surprisingly for a is an area that we have to constantly be aware of in this environment that a lot of systems that have now where have now where from products. and so, it is possible you could have now where on a system of a particular state actor and is not in any way, shape or form related to the 40,000 hargett events have been wiped in this case. it's very important to figure out what's happening in that
9:05pm
system, to figure out information from a private sector company because the single piece of now where maybe in no way responsible for the damage we've seen at this point in the investigation, said information sharing is critical. were going to be working with this company, regulatory commission in fbi to get more information out. >> would you like to reagan at this point? >> sure, at the same perspective as the national security dicer. at this point it's not even clear as a criminal action. i think where we go is to look at four different questions to try and assess what we've got good first, what is the target here? is to target our oil industry were generally? or is that our economy?
9:06pm
second, what type of attack are receiving? it clearly seems to be a information, but it's a disruption are moving towards a destructive attack or assets are actually being destroyed? third, what are the consequences of this attack? is it just limited to the single company quiet is it going to affect our economy, ultimately affect our national security by undermining armed forces to respond or other ways. i'm forth, what is the source of the attack? is this a group of independent heart or his? is a terrorist group or a nation state? as they get the answers to each of those four questions, you will see, is this going to move from homeland security, criminal activity towards national security activity. if amiss in that direction
9:07pm
honestly the department of defense cybercommand becomes more central. if it stays more on the home and security was so playable combat is clearly clearly a supporting role. so that's the way research look at it. >> perfect. let me tell you, payback is on the move. it is day two. québec is now regulate this low-pressure oil that mr. the pipeline. so it's been adjusted by the virus because so much pressure that major leagues are happening to washington. so there is leaking oil and pipelines now and destruction. the media has been a data another story is on tv. they're calling it the first destructive cyberattacking u.s. soil by a foreign enemy. pressure is on the company in
9:08pm
seoul as the government not to explain what's going on and how to contain the damage did the dow has dropped. oil is now $13 over the day. meanwhile, u.s. intelligence identified three command-and-control servers. one venezuela, one in russia and when the state senate commands for the virus u.s. intelligence concluded with high degree of confidence that the virus was developed by state-sponsored actors and ask land and not a high degree of confidence, but there is some chatter that they have another target in this virus is not going to stand oil companies. new fact. run a search on here? >> i think so. given "washington post" story says, probably something we have to worry about.
9:09pm
[laughter] but now i think the general realization that we have not seen everything yet unfold, second that typical cyberattack activities are probably most crippling and undermining confidence of the public. and so, courses of action addresses of the public and how we'll do this. we haven't gotten a sense to the external oversees implications to the standpoint of other damage up there. i need to know from intelligence community what they know is that date from the ei, have forensics disclosed anything but give us a way to get ahead of the activity and recommended courses of action and now given the implications of country ask land, what types of things can we bear state department and dod
9:10pm
to influence potential there to descend further further escalation of this? >> we had an unpleasant meeting with national security adviser for they said he needed more information, so we reprioritize our asset the intelligence collection apparatus -- [inaudible] as he said, we conclude now if i confidence that ask land is behind the attack. it's not just a murky explanation, not just a conclusion that there mounted us. there's a lot of countries in the world nodded us, but it's clear that x land has a strong hand in guiding and putting in capabilities in the hands of their allies and using them from
9:11pm
their country. in addition, we'll were not absolutely certain of those, we understand from technical and human sources that it's not just about the company. it's about the entire world sect or indefinite indications, including possibly the financial and banking sector. we are not sure that's the sector they are going to go after, but it's clear they identify critical infrastructure and go after another sector. i should say the last part is extremely sensitive. our sources and methods for picking up the information and knowing what plans are a very sensitive and we may lose the ability to do feature reporting. >> state department particularly now that we have two servers located outside the united states and implications of that
9:12pm
plan. >> my first thought as any to send a strong signal that this kind of behavior is intolerable and we need to send it not only to x land, but other people who watch her reaction. so far it hasn't been particularly strong comes to me to think about how to pick up our game. we need to work with allies in europe and middle east to come up with some kind of coordinated approach. what i would say is we have about as many sanctions as humans can possibly think of in this country. we have put as much pressure through diplomatic channels and in coordination on economic means is we can. so we have to think about additional ways to price this country together the lines, not only because when a conflict with them, but because we want to send a message to other countries watching. this is not something you want to do to the u.s. now the location of the servers
9:13pm
in other countries, from a peripheral issue is a central one with a strong message. in this case, we don't want to set in the unfortunate. our are conditioned consistently for more than a decade as nations are responsible for the action taken in cyberspace by those residents on their territory. that is u.s. policy. that means going to the countries where we've located command-and-control servers and saying, here are things we need you to take action. we're happy to cooperate with you. perhaps it is sending fbi to jointly investigate. if you do not respond, we'll take that as a final possibility. we need to start defining boundaries for conflict. >> i would like to state department to one carry this in the u.n. silica to the international forum, particularly if it continues to
9:14pm
escalate, to frame the declaratory policy for the nation's absorbers, but may not be participating so that it's clear and search link of other diplomatic actions that could potentially be taken to cut off the escalation of the activities. in other words, attacks on us for a larger group him et cetera. >> i don't want to take off the table action beyond diplomatic action because they think would've exhausted many potential diplomatic actions and summoning to think what are please to send a strong signal to the leadership in x land and other places including covert actions. >> quick question. so for the u.s. government has said nothing publicly about who they will lose behind the attacks. her speculation and media based on leaks and credible sources, but the u.s. government so far has said nothing publicly.
9:15pm
what is your decision assessment as to whether or not he should publicly identify x land behind the attacks and should you give some sort of public proof to why you believe that? >> once i worked my way through the entire national security crew, i returned the intel people for confidence. we do not and i want to understand what justice knows or doesn't know at this point. are they ready to come out with that kind of the declaratory statement covering note with some sort of certainty because it's a big step. it may be the time to do it. it may not. the threshold would be something in the rules of evidence we could point to or in diplomatic that could point to. we have not built our case completely as the scenarios unfolding, but we try to understand so that's part of what we try to get through. alternative or to justice to get a sense of where they are now.
9:16pm
>> a lot of good things happening because censoring of the command-and-control we disrupt the activity which buys time for the nation to figure out what the elements of national powers in this case. we have folks in russia as well as the united states. that was the easy part. for getting great from russia. venezuela however we've got requests from law enforcement and also from dhs and they have not been as responsive so far. with respect to the question of, those based on sensitive sources. the malware itself is academic research occurring at this very moment and published. but the fact group associated that with x land is not something we publicize because we'll lose some very valuable intelligence capabilities. >> i turn to dod given the trend
9:17pm
here we have two better terse external to the united states that we don't potentially venezuela and the server they are. it may not be venezuela taken action, but the server is spewing now where i'm then we have the country who is suspected so would look for some courses of action should we have to move all the wit to the point of actually stopping this in a kinetic way to lester to these and both countries to convince them. i want to make sure you consider escalation control so we feel like we can move in a way that stops us, that the adversary knows that they need to do in behavior for us to stop pursuing him. >> i think we would want to bring two primary courses of action. one would be a cybercourse of action if were not able to address the venezuelan and
9:18pm
perhaps russian server that they would be options to respond to that and we could move up the ladder of escalation, blocking gateways to the united states, potentially up to and including taking down the server. we have to understand that the collateral damage would be if we were to attempt that, how quickly we could do it, work with state as to whether we are in a position legally and diplomatically to take that action, whether you want to wait until you're in that position or not. that's one set of forces of action. the other package in this area would be military actions against x land itself. code beside her,, go beyond saber in traditional military tools mvp working as working us assets they could bring to bear, how quickly we could bring to bear and again what the
9:19pm
consequences would be if we were to use those if we're in the process of developing courses of action. >> finally, separate from the group we reach back out to the company and just get a sense from the company of their ability to continue to contain the committee. dhs to be a representative in doing that. >> i'm not having a very good week and i'm not happy for a number of reasons. my business is really impact that, but even more so not happy this has been leaking out. i can't be certain it's not my employees, but i'm quite certain there's other services like in all this information out in my attempt to contain this is not work very well. at the same time what i've read in the press is more than the u.s. government so that makes me doubly unhappy. at this point we've identified the three servers within our
9:20pm
company as well. we've identified servers outside of our company of the now where am we've taken action authorized by general counsel to center russia, venezuela and u.s. companies. we want a couple things from them. when we want information on the servers and tracking related to the company with data going into the servers. those servers and the reason that is important is because some huge company. i have a lot of subsidiaries. i don't hunt on my networks and some of my networks are out on the oil rigs in paris places where it's hard to locate them, so i don't know the damage that i've taken, so i need information from the command-and-control services to what factors have not yet
9:21pm
identified. i've also been advised by legal counsel that i need to take more aggressive action in attempt to shut down servers through offensive action and use it as basically a legal necessity defense to act in self-defense to protect my network. i'm not yet ready to do that cannot be done in consultation with u.s. government. but for physical damage occurs, that's an option that we consider the u.s. government does not act on my behalf. >> which you are in consultation with the u.s. government is we want your information. for not looking for you to start shutting down servers. we've got this at the highest level. the president of the united states has been briefed. so we need you to not take action. we need information you're saying. if you can mutuals the government doesn't have her visibility to this problem would be grateful for that as well.
9:22pm
>> here three hours? i'm not going to waste time. >> i understand that that's your position. i cannot condone that. you're obviously going into risky territory and were selling to the government is on top of it. >> from a foreign policy perspective it might serve the nation better if we were to take action against you if you were to attack other countries. with reason or not, this is not something for nurse will take lately. one of the things we underestimate his reaction of the government. we don't want to assume the venezuelans know what's going on in this or perhaps anything else. so go in and taken action their country but they will perceive as hostile as a really bad idea. we want to set the precedent that these actions are unacceptable and we need to find a strong way to get that message to the people in x land. that doesn't have to be a public
9:23pm
message. we don't have representation or come and we see them in vienna, new york, people who can talk to them. we need to start getting the message out back off. >> one last bit of new information and then they want to talk with everybody about how to contain the damage and what kind of reaction. so payback is now hit the controlled system but one of the physically disrupts the process. again, when the company of gas and oil in the states is a big deal, we have an story for two weeks, but because it's only two weeks now, the stock market is down 8%. gas prices are going up. so that's the end of the information you're going to get. i do stop this and what kind of retribution are we telling you to take?
9:24pm
>> when he started off with a group of men will go down the line and talk. i think first of all the action provided external to the united states are your reasonable range. i return back to you to work with states and look at the lowest level possible. we have to be mindful that were in areas it doesn't have precedent to it otherwise it's a response to a cyberattack. can we character is the damage in a way that we can be proportional. if i pursue good and meaningful in being able to go after venezuela? are we making precedent there? was an appropriate range of activities associated with country acts that we may be able to do that much of the diplomacy, put us back into diplomacy in the diplomatic tools useful again without getting too aggressive too
9:25pm
quickly. one person said of the equation, just want to make sure we understand how your case is proceeding, number one. number two, how you can tell us we might go to get ahead of this problem. intelligence need to support palm person in doing that in states, are you building international case moving forward and what luck have you had there? i'll stop at that point. >> let me start. i think the cybercourse of action which show promise here at this point. i think we do have options to address the venezuelan server. i would suggest we probably want to move quickly to exercise those silly can move from that server to another server. should also work closely with the intelligence community to see there was mention of a second plan of attack, probably possibly coming from other servers. can we identify where the
9:26pm
servers are in move to block the payloads from living out the servers before attack occurs. i mean arena at defending against this attack is possible follow-on, we should be quite restless. you should probably have diplomatic repercussions. there's some risk of collateral damage. we are to assess before he knows, but i air on the side of moving quickly. on the other side in terms of direct action against x land, i would move a bit more cautiously. i think were not at the point when we want to move military tools so that we should move them into place and develop the plan to exercise those if your recommendation of the president is that we do so. i think others intermediate set in the cyberand related areas. in particular the secretary of
9:27pm
state has mention we probably do the economic diplomatic pressure probably as holy as they could. i think the next step short of military action is to see steps we can take that threaten the regime's control of the country. other steps, tools that they use to control, to keep himself in power. the media, internal security. what are the props that hold them up? short of overt military action are very modest action or covert activity, cyberactivity, can we threaten the ability to govern and stay in power would be the course of action. >> can you give us a little more specificity as to what type of cyberoptions you're thinking of. for instance, do you think of
9:28pm
using cyberconnect to shut down the server and origin of the attack? >> i think would run a series of options because it's a presidential decision and i think they would range from fairly defensive, blocking things, gateways into the united states, blocking things that make points and all the way up the ladder to actually taking the server itself down to offense of action. we developed a sleep of options and i think it would be the president's decision. it would not be secretary of defense or cybercommand. >> has this happened before in reality? >> i don't think we've seen this kind of distract of attacks on the u.s. >> the kind of covert cyber-- >> i only know what i've read in
9:29pm
the "washington post." [laughter] >> kaman, you're at the pentagon now. but this has happened today in and day out? just what you describe, covert cyberretaliation. is that going on? >> this is a very dynamic area. at each level as types of attacks that are developed, responses to the attacks moving up a ladder as we speak. >> the short answer be no. >> what we need to think about is we are now in a situation that we need to recommend for your situation where he needs to think of coercive measures. we want to force another country to change its behavior. and don't get hung up on the
9:30pm
servers. who cares. get hung up on the primary target. in looking at the diplomatic repercussions, i think conventional military action, kinetic action is probably advisable, right? >> you're doing great as secretary of state. >> yeah, i seen them in action. one of the things they would normally do at the president decides this is a major incident that deserves a powerful response, we could go to nato and say it's not an act of war, but will it be sufficient to trigger article for consultations with the allies. we could stage with other nations in the area. we could hold joint exercises with some of her closer allies. we could send discrete messages to senior officials in x land's
9:31pm
government. remember, the roles of governments of international affairs are different than in court. we don't need to prove this to the degree to bring a court case. we just need to say look, we are including some which are up to do we really think you want to pay attention to how we're reacting and you need to stop. but we need to do and i don't think what we've done yet is the country is we don't have the mechanism for course of action we do in other areas. it's not a well greased machine mainly because we haven't seen any in the dense yet. if this is a physical invasion or something else, this is a territory. >> my sensei said this stage of the game is that we're dealing with potential is significant impacts, maybe environmental, this certainly to the energy flow and energy market. but we are doing it in a
9:32pm
cyberenvironment for which we have not acted before. or trying to move carefully here, understand the precedents we were playing outpost for country acts in any other country that might be hosting wittingly or unwittingly the virus and putting it out and trying to match that with tools we have that we understand implications and use of the tools. we don't have a clear-cut case yet, which is almost always going to be the case. there's ambiguity here, so we have to move in a way that manages escalation, is understanding of the implications of the precedent that were setting and that we build our case as quickly as possible in the international forum. so i think the department of defense has done the right name and giving ms a tool potential that mr. covert to covert insider is a potential way of
9:33pm
managing the site tbd we may not want to be overt and accountable accountable -- not accountable, but a state contractor doing in a covert basis on attributable. that may be one of the tools the president might want to use here, rather than being a attributable insane were doing this. it's just a decision that will play a based on the advice we get from people in the knowledge we have at the time. we want a range of options for sure so as the activity forward, if it continues to escalate, we cannot set ourselves up short of the target. so those are the types of things would be asking across the table here. and i don't want to but the scenario, but nothing has moved internationally here coming up there's no real reason why it hasn't because they are not a unique company. so were trying to understand how this unfolds in the time that
9:34pm
peter is a little shorter than the game has moved. those are the kinds of things each of these departments would be putting together. they did make recommendations to the president. a president has a range of tools. we have to bring in the congress at this point and make sure they understand that were contemplating because the constituencies they're accountable to that we provide them the information. those are the types of things going on now. we are at that precipice. mr. president, here's a range of options. the likelihood that we would invent something, use it to we've never used before at this point would take a lot of convincing probably to move the national command authority for the president in the direction they've never been. >> is anyone helping the oil companies? >> i have to say is a private sector veteran and not feeling a
9:35pm
lot of welcome from the u.s. government. in fact, i've been threatened. and in fact, what i've been told are still delivering what actions to take a >> how long do you expect this to continue before you get operations back to normal click >> i'm trying very hard because of the destruction to go to each machine and locations all over the world and replaces hard drives it's going to take me weeks to do. i don't know if there's other attacks. they'll impede my ability to do this response. at this point i think of ways i could pressure u.s. government perhaps poetically if information is having getting questions from every port in the nation. >> i want them to shut down the attack. i want to make sure my systems are not further destroyed. at minimum, i want to take down those countries that are least
9:36pm
not threatening me for taking action of my own. >> some of that some of that eccentrics are your station of what happened. [laughter] >> we came in, offered in tonight for assistance. so if you're ready to go public and were happy to tell you shareholders is an empty assistance to the department of homeland security. last night but i think we are at a crucial point. we've got the russians in your servers are down. but the venezuelans are so quick and you've given me three hours. i'm going to let the president know that the fbi has the capability to remotely conduct an operation to the server in venezuela as a criminal action, a transnational search and seizure to stop it. the capability could be extended to the nsa can, used under any authorities. if you title x, title 18, title 50, with the capability to go
9:37pm
when at least to prevent a third party trying to defend systems from doing it on their own and it's very hard for me to have conversation with the oil company if were not going to bring the server down pretty quickly. >> my senses this is the heart of the conversation occurring inside the administration is what is the appropriate authority? action under the authority and is it justified and is set up for riyadh, all of those things. the default would in fact go to justice at this point. they may be assisted by intelligence for defense, but we are better off working in the justice venue until it's not appropriate am no longer capable. number two, you bring a bit point that we would work into forms and said the administration was ceos of like-minded companies nationally
9:38pm
and internationally to keep them informed of what's happening to you. you would be included in this foreign to see what we're trying to get accomplished. you've also had a sense of the them or am i one of many, which we don't know tech ugly yet. to keep the information flowing. you deserve that. you should have that opportunity. you will have incentives that were not going to move. we understand that. we may not like it, but we understand the washington posts will always be there for you. >> conniver request for the dni. what i think would be most helpful would be to remove the offensive end vulnerability that x land has. that's one of our biggest problems is people take actions and there are no consequences, so they feel vulnerable. to the extent you can specifically identify the machine or the entity
9:39pm
responsible for the attack in x land, i would recommend the u.s. take some kind of action, deliberate cyberattack against that end. >> could you describe what that might look like? >> would say you have your camera facing you. what say you have the ability to turn to see the guys face. i think there would be a lot of fun, right? once he saw his face and make you had this idea, then you would want to think, are there ways i could go when and block that machine, that software, whatever, from taking further action. this could be done covertly. did they have the capability that is removed? suit would be hacking into their system the way they packed into arson turning off some of their program the way they've turned off some of the oil companies, management control programs. >> i want to make sure you
9:40pm
maintain escalation management configuration. >> i don't want to see this data was once a military to act, but -- you want to think your way through in fact whatever to do you take, what's the likely counter to that? make sure as you mentioned earlier that we have someways make it very clear you're not going to win this escalation game number one. number two, it would also help if it is trivial it may actually spoke out the legal side. and others can we make it the smoking gun they did in fact come from the place, what hope is an international forum justify the activities we think are appropriate. >> with your recommendation? >> things are sliding my way. well, we don't have enough to do enough information. >> you have more information?
9:41pm
to have more information? >> we definitely tied it to x land. since things are siting on my way and i'm going to be on the hook that i should remind everyone come including the president that we could go into iraq and all saddam's generals thought he had wmd and the whole international community thought he weapons of mass destruction. i have high confidence that this is x land. so i remind everyone the meeting were not going to go to see the video with them sitting around saying okay, you're so are doing, here's some are going to do it. i remind everyone it's intelligence and so we may never know the true answer. so the president's going to have to be at team. i'm not able to identify a particular machine. if we do that the president's decision could be very -- a very easy one at the problem from the
9:42pm
intelligence side as it looks like x land and allies are really acting that networks need come acting to u.s. government speed, think about escalation management. venezuela has been in the "washington post." they know where the genocide venezuela unfortunately. they're looking at other places, western europe, servers and a shirt to move to we believe. yes if they go to germany we can go through a process in germany and transnational seizures in the same if they go to japan, if they go to china, if they go to servers in russia. the fbi at network speed is going to be a question here of whether are going to have time to work through international organizations that don't move at network speed. some of the things the national security adviser and secretary of defense had to consider is
9:43pm
are we going to start acting at network speed and taking action unilateral and the cyberbomb without being able to consult with each ally where something may be going on. we can't wait 24 to 48 hours. by the time the country says yes we're going to take care of this, our police are on it, they will move again because of washington. so is the secretary of state's point, were having trouble figuring out how to get their attention. we've tried for many years to get their attention. we have somebody's attention to mess up their money and we are very much mess with their money and the regime's money and we have their attention. so there's additional responses we can take. the final point for anyone who's ever had their i.t. systems upgraded in their company had
9:44pm
problems with the upgrade. our actions are not going to be perfect. so we reach in the systems, which when we upgrade or on they go down and not unanticipated problems. were going to be into systems of over talking about here. our laws are very strong on the fact we can identify a perpetrator. we can take action against the perpetrator and only the perpetrator. we talk about doing things on keeping the united states, blocking traffic, those types of things. i can't give you that kind of certainty. so we may be touching people's traffic. we may be impacting systems that are not just a precise surgical strike. so the president and national security adviser and national chair dickie team consider flow back because it's likely we're not going to be perfect and
9:45pm
maybe the phone systems are going to go down overtaking action. so i'll turn it back over to the national security. >> just to clarify, there's no cyberwarrior team government defendant and it's a foreign government, for not yours, so there's no fire brigade, no soldiers come in the cyberwarrior that can go in and help them at all. to private industry keeps asking, where is the hope? >> the department of homeland security working at the nsa intelligence, information assurance as well as the industrial control system readiness team and have a lot of knowledge in this area in many of the companies in the oil and gas industry and taken advantage of mitigation strategies that the department of homeland security is provided free of cost and it answered the fbi,
9:46pm
done studies that have been quite helpful. >> in a crisis here. >> in a group. >> and help them try and -- >> security, msi, sign a nondisclosure agreement with the company so they can protect or try cherry information when you hope what happens is the cyberteam of the come name and cyberteam from the government would work to understand where the attack is coming from the forensics and move as quickly as possible to get information so we can take action. >> from my perspective the company had a lot of resources. i don't need their help to go and replace hard drives. i've known people to do that. i know my network better than they do. >> are you going to let them in quick >> no. if this is a state actor the company is not the focus. it's nice, we want to help him, that's swell.
9:47pm
but there's other issues more important that only the federal government can do. >> those issues are quite >> the issues are how much evidence do we need to feel comfortable taking action? what would those actions look like? will be be diplomatic, public, forceful, covert? what authority so we take them under? i whisper for a title 50, but the ushers me. >> that the intelligence authority. >> overtook him on may. we're we're going to ask a couple final questions. if anyone has questions for this illustrious team, raise your hand in the jamaica. >> -- the government took the ball and ran with it in the private sector is that they're going hey, what about me? magister source for you guys to go play and i keep leaving here? asked the question in the private sector will ask in one
9:48pm
of the reasons why people are nervous about the legislation in the executive order coming that all they're going to do is enable disability to dump all of the driven away with it. >> confusing issues in a way that's unhelpful. that's why so since we've identified this is a state that year, i detect a congressman a couple months ago and one of the more conservative ones said the air could do anything better than the government. if it is that really true? what about national security? so this is x land can a country all know and love, when this hostel engaged in aggressive acts against the united states for decades, then there's a fundamental responsibility for the government to take action. of course we want to help the company should they choose to accept it. but the fundamental issue is that this data is how do we defend the nation and that is a federal responsibility.
9:49pm
>> and that's really core. we're trying not to fight the scenario here we have gaps in knowledge and whatnot. but it is very important. is a complete activity going on below the federal protect the discussion, which is in fact year of the tools i can give you, here's the help i can porcine you, but i sure like you to help. this is bigger than you? those are questions we don't know in the scenario here. but i agree at the end of the day we played about as if this is a threat against the nation in trying to elevate that to give you a sense of how the dialogue would go with many other dialogues going on at the same time. >> to be clear, not necessarily recovery, i do want to help in shutting down their explication of my network. >> and in the real world, the difficult answer to the come to
9:50pm
me maybe if you're getting attacked by x land and they are very good, the government does not have the magic potion or holding back and not sharing with you. what you need is the blocking and tackling of basic cybersecurity. so is the company in the scenario, are they at that high level of cybersecurity already be taking the steps that would eliminate 90% of cybersecurity vulnerability. that said, even if the company does take steps, which he did during the scenario if it's not as if the u.s. government has some magic cybersolution but if only -- if only they care to the company, they could magically stop the attack for the fact of the matter is the company has to raise its game on cybersecurity defenses probably. they may not be at the high level of cybersecurity, so they're going to be blocking and tackling to do internally is going to be costly, have an
9:51pm
impact on share price. they're not going to want to see the investment it takes away from the revenue bottom line. even the helping the company they do no system specimen is not going to be in a magic solution to automatically. >> when the audience questioning. >> one more point on not. my experience the last two years and the government was the overtly hostile reaction from a company that government is actually unusual. the bigger problem that i've seen is the slowness with which the company recognizes the magnitude of what they're facing. but when they get to the point of asking, the relationship works well, recognizing early enough that they need the help that is the challenge. >> okay, one more question. >> i'd like to follow up on a theme and not talk about country
9:52pm
acts, but maybe country see in the idea that we have not only these kinds of attacks, which are focused on one company and 40,000 computers, but also evidence accumulated the exultation and data proposed proprietary national security and we also have evidence that there are price being planted in our systems that are there for a while and may indicate a duration for more lethal attacks later. when does all of this become rise not at the level of espionage and so on and rise on an active word church through accumulation. the difficult challenge our government faces. >> adobe to the wrong conclusion
9:53pm
when he said countries he meant either chat or cameron. so it's not what you're thinking. [laughter] >> all start at least in that let others piling here. the question here and you could argue this in the abstract for other and we have an justice struggle with is an activewear well beyond non-kinetic activities like cyberinto kinetic activities. there is no heart. it's in the eye of the beholder. the question is for the country, what are those things you believe put us at risk as the nation, as an institution government and when we cross that line, what are the scenarios that lead up to that such that a group of people come in your cabinet and president
9:54pm
come to some understanding that in fact this is something we have to act on. you are in an area where there's not a lot of precedent here, but even if there was, like in the kinetic site, it's not an even playing field. we've had ships taken over, and this is taken overcome except those are not ask a lawyer are not treated as activewear. so what is to look like? you're asking the the question about would like to know the answer to. i just don't know today there is a black-and-white answer for that question. >> i'd even take it down a different path. too often we focus on board you cross the line of espionage and devorah? there is a third dimension there, which you alluded to, but the effect of intellectual property. in many ways you don't have to get to fax a war at all. you can put the looks and that would make her systems vulnerable, but even if it
9:55pm
didn't, i would argue that what cyberhas done is change the scale and the speed with which nations can steal intellectual property and thereby fundamentally change the game in over a course of years decades do real damage to economic competitiveness and technological advantages. and indeed maybe the real national security threat, not some overt attack, but undermining economy that we ought to look at tools to address the intellectual property regime, which the current tools of the intellectual property, the current regime isn't equipped at this point. we have to pursue down that path, not just the military part. >> midland achromatic or book reviews to this point. the real response is the intellectual property centuries-old.
9:56pm
the british used to do at their industrial secrets, which is true at the time. he kept technology a generation ahead, so you're always five, 10 years ahead. cyberhas repressed the timeline suit can no longer be assured of staying ahead peers of the type you have to look beyond the traditional tools. >> do you see any solutions? >> there isn't a set of pure solutions. there's groups out there, governor huntsman from attending blair leading intellectual property commission reporting out the salt is trying to those kinds of tools. >> is worth noting quickly there are three major international negotiations underway. there's also to sit desiccant negotiations underway. the next couple of years to see
9:57pm
answers to these questions. there's two parts for this ambiguity. part 1 is insisting that her? insisted that her, it's fbi and the company. is insisting that are, i think the illustrative and not, where's the fun existing international law. under international law and practice. espionage, crime, viscous to your point. espionage and crime are not the use of force and therefore would be difficult to consider them as something that could be considered inactive or. a political decision as general cartwright said, but we don't even get to that point. there is the ambiguity that if he reaches a threshold where we say okay, now it's like the force i'm not one. i think the list right, i don't think we've worked that out. but don't be surprised if you see a merge from ministerial in
9:58pm
a month, some sort of guidance on how to treat these things. >> when you think about the tools in our tool chest, one of the things we haven't explored is the use of private sector in areas of economic espionage. the espionage act does not have a civil remedy denied years ago. it seems right to figure out what the role of private sector is in actually going after either the nationstate for assets can get frozen of the nationstate. or those who are actually getting the benefit of the nationstate. it seems to me to be an unlawful subsidy and nationstate is provided you with trade secrets. so there are more tools in the tool chest. there's no doubt the government recognizes the intellectual property is rising to a level of economic security and national security problem, whether or not there's reason to figure out
9:59pm
what level you've created a national security and so much impact a similar to an activewear sabotage do you need to rise for a level of an activewear. i think these conversations are good because they bring in authorities in jurisdictions and in that way start looking for normal behavior. you see that in the area best panache there's not a lot of normative behavior. the rule of law prescribed towards warfare for hundreds of years. he don't get your scoops to the table. a couple thousand people work on policy all day and publisher. so the communities across the world are geared up towards making policy and coming up with normative behaviors. maturity start seeing discussion being played out now. so it's espionage acceptable in critical infrastructure or the
10:00pm
capability could be turned into a sabotage? is that where you have to draw the line, but you can't start exploitation and if things go wrong to bring some critical infrastructure or the bank and finance system. so you see discussions of behavior. >> were going to have to end here, but i think one final question as we sum up the things that you really make terrific way brought up. >> this has been a very constructive debate in an area that is new and emerging. ..
10:01pm
>> there are commissions out there. there are activities inside a cabin at the level organizations. i have seen significant work in the loss schools and universities that are now starting to zero in with some precision on what is the question we are trying to answer. what is the answer look like? what would drive the answer?
10:02pm
so this is maturing. it is maturing at a rate that is commiserate with understanding the threat, which is really, for the most part, intellectual capital and crime. including putting those two together, it will emerge over time. the one thing you want to be talking about is policy and law. when this activity has not yet matured. we don't really understand and cannot precisely characterize his form yet. that is the only caution that you have. but you don't want to be in paralysis. the questions are being asked have to be asked. >> let me make two points out of the exercises that are well constructed. one is the tension between network speed and government decision-making speed.
10:03pm
one has trouble operating, but there are reasons for that. you are considering the diplomatic impasse, the presidential impact, whether or not collateral damage exists it is not the that the government is slow, but there's a lot of serious inquisitions to this that have to be taken into account. that is obviously more attention within the cyberissues than it is with the diplomatic activities. we need to try to move as fast as we can without moving up the critical areas. cyberis a little bit unique in the national security arena and that it really highlights the need for public collaboration. you cannot do this on one side or the other. this is pretty clearly a public
10:04pm
good. no individual company has the kind of security that the nation might need in terms of protecting the critical infrastructure. but the government can't just come in and take over. it is not like some other domains and almost all of the assets are in the private sector. so you have to take account of that if you develop the new security regime. secretary napolitano highlighted in her marks the importance to build that public and private collaboration. i second that idea. >> thank you. i appreciate your time and we will continue to take a break now. please continue. twitter is going crazy. a huge thank you to our panel. [applause] >> the wash -- "washington post"
10:05pm
security summit. this is little more than an hour. >> there has been a lot of talk about legislation this morning. were the first thing that janet napolitano said is that we needed. we need something that plugs the hole and some kind of framework that helps the former deputy at the pentagon. they just said the same thing. we will talk for 20 minutes about this legislation. now we hear it right again. let's talk about what it would do, and if it doesn't happen, what kind of an executive order would do. with me i have secretary ratner. he is a senior adviser at the senate homeland security of government affairs. along with him we brought back our former secretary of state,
10:06pm
james lewis, who will speak up about his idol. all right, let's talk legislation. we will talk to steven bucci who is on the next panel. when we need is and this and what would you do? >> i think the demonstration or the exercise right before it was really highlighted, senator lieberman's bill contains both information sharing and targeted critical infrastructure that the nation has. we actually modify that bill before going to the floor. which i also address critical infrastructure, and we did so in a voluntary incentive. >> so or if you are a company who is president of your vague, what would you do? >> will be to set up a process.
10:07pm
those in the government can come together, determine what the risks are come and work together to develop standards that the critical of the structure would have to me. if you already doing what you're supposed to do, if you are doing as much as you can, there is no change. we are looking at those companies who have not taken the necessary steps. >> we heard -- is this true comedy and? >> general alexander has decided that several times and i think he actually said 80%. >> okay. i think what we have seen his basic hygiene does illuminate many of the threats. now, i think that it would not prevent the most visited
10:08pm
threats. >> so there are unhygienic companies out there that if they go down from it hurts the country. so what is the hammer from the government on this? >> there was a hammer. in some respects. which is meant to be a last resort. i think the regulatory scheme has crafted and it was the last resort and that hammer would have to be used. >> the hammer was the regulatory find it is an incentive-based scheme and it is voluntary that companies who choose to opt in and to craft minimal standards however they choose, they will get protection. possibly procurement benefits. >> what does that mean?
10:09pm
insurance is cheaper? what is procurement benefits? >> procurement benefits, if they are a government contractor that the government can -- >> so there is money either way? you don't do it, you're going to get hit, if and if you do come and get some money? >> yes what is the big deal? >> there are a couple of issues. i should point out the 20 controls are talking about. we publish them two or three years ago, so we know what to do. we are doing it. so how do you change that? >> what percent are not doing it but we know what the remedy is? >> it varies from sector to sector. in some sectors, thinking telecom, they are already sort of maxed out. in most cases, they are doing everything you could want. companies have an incentive to
10:10pm
do cybersecurity very well because of their business. so the companies that have a direct incentive do pretty well. companies that don't see that direct incentive maybe could use a little improvement. but the issues that come up for me, and incentive is not a t-shirt or one of those little pink rubber bands you get to where. for procurement benefits, the incentive would be tax breaks or direct payments. we are not in the place where we can make meaningful incentives available to companies. an old washington, the bill would've gone through umax we don't want to spend the money. we have more money than we ever have before. we spent it on maybe the wrong stuff. so what can you do to get some real money? well, that may not happen. the second issue, it is you've
10:11pm
heard this book. in the house and senate and democrat and republican. do you think you just do the job? usually come, members have come to a conclusion and the lack of incentives -- the role of dhs was a critical handicap. we'll although thing, and this is not fair that they don't think dhs should be given more authority for cyberspace. >> doesn't matter? >> sure if. >> some in the government? did we get hung up on which part of government? >> we should. there are basically three that can do the mission. people have concerns about capability. you heard some of that with the body. concerns about this with dhs. >> some say they have 600 some jobs going. >> what is going on is what we
10:12pm
have asked. number two is the nsa. when they say i want to put an essay in charge of all the public networks, it doesn't bring screams of joy. [laughter] but even worse than a corporate perspective is, okay, it's not dhs and it's not nsa. how about the fbi? >> did you get that last one? >> i did. the problems that we have are the ones of the general counsel. the general counsel -- dmitri did a really good job. am i going to want the fbi crawling over my network? the most for the most part, they're going to say no. so it defaults to dhs, but people do not trust its. >> it. >> okay, so if you stick more money in the chain of command, you think that the private sector would sign-on? >> no. i think you really need to focus. you try to do it at the end.
10:13pm
you don't need to regulate the whole world. we don't need regulate the whole economy. different sectors are in different places. one sector -- maybe you don't care about it. technically agriculture and national monuments our critical infrastructure. banks and telecom, they are doing a good job because they have a reason to do a good job. it is those sectors in between the ones that are not cyberoriented than the ones that are doing a good job that we need to focus on. the bill could have been a little bit more precise than saying that this isn't going to be, you know, cover the globe kind of regulation. this is not going to be prescriptive. i think this would help a lot. >> so we hear that a new bill will be introduced. but it will be better and streamlined than one point. >> senator reid switched his
10:14pm
vote to be able to bring this bill. he announced recently that he intended to bring cybergo back to the floor. and he made indications of that will happen. >> will change? >> it remains to be seen. i think a lot depends on what happens on tuesday. because obviously it's much policy as there is, there are also politics. and you have to kind of see what the landscape is. >> the president obama wins, what happens? >> the two important pieces of legislation, it is the critical infrastructure. the white house has indicated that they are moving forward on this executive order. and i think regardless of what happened, we will go forward. to them, this is not a political
10:15pm
issue. they believe this is critical to national security. i suspect that they would shoot that either way. so then that leaves congress. in light of that, what can congress do? i think there are people who think that we should bring up the bill again. and to try another crack at it. i will say that the bill -- we lost 5346 with five democrats voted against it. and in the postelection, things change. some of those concerns may be addressed. we will be a lot closer. whether it were passed who knows. >> what is the executive order, and what will it say? then we will take a few questions. >> sure. i think that much of what we did in title i can be done by executive order. the only thing they can be argued -- for instance, let's identify what puts us most at
10:16pm
risk, and then let's work together to come up with standards and best practices that we can issue. the only problem is you can't offer incentives like that, which the congress can. >> can there be penalties to an executive order? >> they can leverage their existing repertory authority to do that. however, in many cases, it is limited. so where that can be effective in some sectors, believes many out. but the important piece of legislation, if they're already going to do this with no incentive, why not actually try to build meaningful incentives, and that is liability protections, which we have said are clearly open to negotiation and to get them right. there is also a possibility that the president goes forward with an executive order that senator
10:17pm
lieberman may make the position to try to pass the remainder of the bill, which includes important information and other provisions. it is critical to making dhs an agency that can compete with nsa and other intelligence agencies remapped anything on executive order from the audience? then we will move onto the next panel. we just wanted to address some critical things. about the need for legislation if anyone has a question. >> one issue on the sharing that i believe the fundamental issue is we are not going to get anywhere unless the government and private sector sit down. the reason i say this is because there to parts of it. one is the regulatory and the
10:18pm
other is a critical user. because the government is itself a critical infrastructure. so there is a way that would be much more useful for us to be able to sit down, or you can have two-way conversations in the same way that we do in the industry. even on sensitive matters like this. if we could sit down as peers. therefore, when you sit down, you're not opening yourself to discovery of things and other types of things. have you ever considered that? because this is a real issue. we have to separate those rules to i would refer you to title vii in the bill. i think that is absolutely important. >> what is title vii? information sharing. that is why we protect those medications from disclosure.
10:19pm
whether it is under the program the dhs has or foya. where a company can send information, and if they don't, they are open to criminal intent criminal punishment. we want to make sure that none of that is used for regulatory enforcement. but it is not discoverable in litigation. that is the whole point come and i think we agree with you. >> okay, so just as a quick footnote, the bill has been under discussion for a little over three years. so all possible permutations have been put forward at one time or another. some of them prefer two or three times. where we are now is a minimal and acceptable, passable thing, and that would be probably some sort of conferencing of your title vii and it being in the
10:20pm
house. >> for those watching? >> is the information sharing and protection act or something like that. it's a good bill for information sharing. good stuff in your bill. >> how much do we need this kind of protection? we just keep hearing about it. how critical is this? >> that depends. two questions you'd ask yourself, which is how you feel about risk. if you like rest, were in a good place. risk tolerance, right? the second question, you need to ask yourself is how do you feel about sharing. and if you enjoy sharing your confidential information, then we are in a good place for that, too. [laughter]
10:21pm
>> it is pearl harbor or the titanic. the disaster of your choice. you're not going to see some big dramatic thing. >> is a way to minimize this? >> no, and minimize the sharing that you have to do? >> sharing is nice to have. i have never been as hung up on it. the controls that we are talking about, we could get people to adopt in a harmonized way, maybe the blocking of some attacks, the primary goal is to raise the level of network security across the board. and we would agree. one quick distinction between exercise and then also what happened, but these computers were taken off-line. >> can you explain that to those
10:22pm
who don't understand? >> it is upwards of 30,000 computers. the demonstration was completely wiped. from what we know, we were able to keep the damage restricted to at least network. in the scenario here, however, it was in the control system. make sure there are some protections. were there other means to prevent that from happening. in other words, returning a cyberattack into a physical attack. and that is something that i think jim was also talking about. we need to make sure for those minimal protections are in
10:23pm
place to okay, so the goal is a stronger defense for critical infrastructure. what else should we be doing? >> i think getting the companies to have a common level of knowledge, a vulnerability and potential response. here is a simple question that people could ask themselves. am i running windows 98? windows 98 is totally unsecure. so that is a lot of good examples of no-brainer questions. also, do i have automatic updates turned on. yes or no. if you don't have it turned out, you're going to have a problem. are you doing patches? do you know how many wireless devices connect to your network? do have some way to control when you plug in a thumb drive or some other device? this is not, in some ways, but the basic level you could take that would reduce a lot of this.
10:24pm
it is not rocket science. you need a password management program. do you accept collect calls from russia? [laughter] >> because that happens. this is a good example. this is like the classic cyberstory. springfield water supply system, i told people, remember that springfield is where homer simpson was. they get hacked,. >> is this a real story? >> yes. it turned out it wasn't hacked from it turns out that a contractor called in and he used his password to take control and call him from russia. this is sort of a no-brainer security measure. the correct answer to his accepting security causes no. there are simple things we can do that would make it better. >> does anyone else have a question?
10:25pm
>> i was happy to hear mr. lewis conclude with the idea of a digital pearl harbor. we have heard quite a bit recently, including from senator lieberman in "the new york times" about the overwhelming threat of that kind of attack compared to the more minimal lower-level stuff you are talking about now. i would appreciate hearing both of your thoughts about the likelihood of some kind of major attack and whether that is something we can look at or if our risk profile should be dealing with the things you're both talking about. >> most of the activity we see now is the low-level stuff. a lot of it is espionage and a lot of it is cybercrime. the number of countries in the world, we think there are about 12 that are developing capabilities, at least four of them don't like us. if we chose to use these weapons
10:26pm
come up we could be badly damaged. there is no reason for them to start with this. vladimir putin isn't going to say one day, i've had it with americans, launched cyberattack. but something happened. the worrisome part here, and this came out recently, a lot of them thought enron was pursuing capabilities. they have appeared to be willing to use some of their technique. albeit still basic against targets in the united states. so the issue is not is pearl harbor going to happen, it's is increasing in ways that we face a real problem. >> i also think those problems, there is some value in information sharing. once nowhere is detected, you
10:27pm
know, in real-time, automated, it is put into your system and that will help. but i think that jim is right. but look at what happened in saudi arabia. these are real physical consequences, and we are just -- you know, there is a need to be proactive. >> any other questions? >> david, and george washington university. the private sector and the public sector need work together. i was wondering what the legislation in the post lieberman collins world, with anything had changed? because we see that with some of the oil companies that liability protection has proprietary
10:28pm
information and we understand that they are more aware of what works. >> that is the perfect question. thank you. how about scenario change? >> i think of it in two major ways. one, dmitri talked about a lot of liability issues. the legislation will reduce those concerns. even if the company is negligent and they use these sharing models to share information, that information is not discoverable. if they are negligent, they will be sued. but not because they shared information with the government and partners. we want to facilitate that so people know they can take appropriate action. i would think that that would be
10:29pm
a major change. also, in terms of the liability issues, the companies had met these minimal standards, even if the attack is above them, they will be protected. they will be protected not to the extent that true claimants and people that are injured will be made whole, but they are going to be protected from punitive damages and, as i said, -- >> would with the system have been stronger? >> in this scenario, yes. the industrial control systems would be separated from your outpacing systems. we don't know but it is very possible that would've been prevented as well. >> were using? how would this have been different in the scenario? >> one way to think about it is three layers.
10:30pm
the critical infrastructure has to be a partnership between government and the private sector. how we have structured our partnership, apparently too hard for congress right now, maybe it will be fixed. we have to add a third layer, which is really about warfare is classed as espionage. not much of a rule for the private sector there. we haven't done a good job of distinguishing. the bill of health because it would have alleviated some of dmitri's concerns. it would've made them a little bit of a harder target, and it might've made it easier for them to share information. and it might've made it easier for government to the government to share information with them. those would've been in our favor in this scenario. we are not going to win became in one fell swoop, but we will keep trying. >> i'm going to ask steven bucci on our next panel to continue to talk about the legislation from
10:31pm
the private sector's point of view. this is a great time to talk with deeply about what is going on. thank you very much. thank you for having us. >> fantastic. okay, this is the final discussion of the day. we are going to build upon it. the point is building the defense and what more needs to be done. next to me i am delighted to introduce the chief information officer. it is a pleasure to have you here. next we have steven bucci and raphael mudge. he does a great job. he can go when, hacked the system with the idea of showing how it vulnerable it is, and people hire him to do just that. including the federal
10:32pm
government. and robert o'hara, who is a reporter at the "washington post", and has been writing some fantastic big important stories, and so, just to end this discussion, and then i want to ask him what is the best argument against that legislation. >> i think the legislation out there and what is now associated with it is a 19th century solution for 21st century problem. despite them saying it is all voluntary, it is still a regulatory-based system and regulations to slow. once you implement it, it is impossible to change it in the united states government. it is mired in that sort of 19th century look, and all going to do is create a culture of compliance. we need a different kind of bill. something that enables information sharing without mandating it.
10:33pm
>> tell us what that's like. and do you think we need something? >> we need something that for the market alone has not worked very well -- the threats are growing. we need some sort of cyberlegislation that there is a role for government in protecting our nation. >> will this past? >> i don't hope it will pass, this is what i think should be in it. we need something that enables information sharing that phenomenons as the information, protect the information that is shared from requests that ensured incher is the government of the other side of the street cheering, what which is not doing so well right now. we need to develop a cyberinsurance business so that the price of premiums will be that are secured. we need a grading system set by an independent organization on supply-chain security for cyberrelated things.
10:34pm
i can elaborate in the q&a. we need to continue to push cyberawareness and education. secretary napolitano had referred to that. we have not been anywhere near that, not even touching the problem there. we do need to build a cyberworkforce. the last one, is we have to establish the rules of the road for a cyberright to sell defense. dmitri brought that up. what companies do to protect themselves from the government, in their opinion come is not doing enough -- >> will be thinking about over there? >> well, we want to set some rules. we don't just want to leave it open-ended. that is the wild west and we do have cybervigilantes. we don't want that. but just leave it to us, we got it. that is not satisfying. >> it sounds a little scary. what do you think? >> which part of a? >> the private sector thinking
10:35pm
about the right to retaliate. >> the private sector has already started doing that. there's a whole network of private intelligence information sharing. there are people that work discreetly with the government. it is a global phenomenon. the idea that the previous panel said the intelligence needs to be left to the government, cyberintelligence is happening in the private sector. it is a globe global campaign. where there are transnational corporations, apparently there are the retrieving money to hold accountable the attackers. this stuff can evolve very quickly. the problem is we are already in a wild west scenario here.
10:36pm
things are very intense. the private sector has a lot more restrained and probably would like to have. there is, of course, where it does become part of companies going after companies. and so there is a problem with that. i am interested in some of the other things that he said as well. when the time comes. >> you are in the middle of this. some specifics about what is going on out there, let's talk about that. >> let's talk about cyberretaliation. it sounds scary, doesn't it? it's like, oh, my gosh, are they going to pick up a gun payment well, even though the words sound really scary, and the vocabulary is very dark, cyberretaliation is not all that
10:37pm
much. often times, these things have to be conducted from a massive system communicating to a bunch of subservient systems on the internet. and these developers often times it is possible the region and control those systems, just like the bad guy would and do something to shut it down. so with cyberretaliation, sometimes it is the system is weak. and they could stop hurting me. sometimes, even just such waste, i am not feeling the full want of it. the map. >> is to elaborate, what he's talking about in some cases are
10:38pm
things called botnets. the good guys can turn it into a thousand or a million computers that controlled by a commander control service. they are used to attack, and they can also be used as taken over are the good guys and turned and attacked in reverse to shut things down. that doesn't leave catastrophic consequences for the bridge or gas pipeline or whatever. and that has already been happening for several years. >> and can you just tell me about an interesting case. you are at west point, is that right? >> when my customers have this problem with software. >> okay. so you have a lot of interesting things? they want you, you know, you have a great ability to come in and show vulnerability? can you talk about a real case. were someone women and you should how to fix a?
10:39pm
>> so often times, we talk about penetration testing. my role would be to be that person to see how well the defense is working. and when it comes to this, it is not as easy as it always seems. sometimes what we need to do is spearfish. >> okay? sometimes you just don't know where you're going to end up. >> detractor launches something and one time i remember i took
10:40pm
over a separate enclave. everything is being scanned on the systems. so we have the opportunity even in a kerrville fashion. >> how can you use that information? >> ultimately, we talked a lot about cause-and-effect. it is basically espionage. basically what they want, they say they want your information. so basically, they can give it back to anyone who wants it. >> so part of spearfishing. how else are you hacking into
10:41pm
computers? >> spearfishing is a big one. and web applications. every organization in the world has these applications written by developers in varying levels of skills and experience. the great breeding ground for her abilities. spearfishing and web applications are the main ones. the old-school exploit against this, vendors have gone better. operating system vendors like microsoft have gotten better at putting mitigations into software to develop those kinds of things harder. even when they are vulnerable. >> let's go to nasa. nasa is a national treasure. you have to protect it, and how you doing it. and i want to hear about how you go into something to protect it.
10:42pm
>> okay, raphael mudge talked about a hypothetical situation. >> absolutely. >> absolutely not. >> one thing i would say your question is a challenge that it is even possible. i think protection is something that you constantly. the goal is to be always vigilant and always aware, the brazilian for when the attack happened, not if it happens. and i think that we have struggled with pressure on us. that we haven't done all that we can. in essence, it's not enough money in the world. there are not enough resources. we don't have enough resources in the world. we have to choose what to
10:43pm
protect based on higher risk. the most serious threat. we do have things like a multilayer defense and penetration protection. we have to cajole and convince and persuade black males, we have to bargain, it is a constant battle that i don't think that we ever do when. >> let's talk about that. so there are people that work for private companies. and how do you blackmail and? how do you convince them?
10:44pm
>> maybe blackmail was in a good word. i think penetration tests that we do ourselves show what it scenarios. we have beefed up our security training and what happens when you actually click. and we demonstrate that things can happen. so that when you do get in, when a hacker gets in, they can go too far. it has to be of containment. so when they get in, first, we have to try to prevent them from getting income and then we try to contain as much as they can to make sure that they are not able to hack the network as much as possible.
10:45pm
so with layers of defense. we can continually evolve what the threats are. when we find them, we address them. we are trying to be more forward leaning to hear about them before they get to us. to talk more to counterintelligence and intelligence organizations and with the joint cyberattacks, to get more advanced knowledge of what is coming so we can be more proactive. >> you hear this over here, a lot of contractors from a lot of interesting information, what would you like to go when and have? >> well, everyone wants to talk
10:46pm
about nasa because they want to talk about aliens, right? [laughter] to my grandfather thinks that there is. i keep telling him that maybe there are and maybe they aren't. >> i wasn't expecting this conversation. >> is there some kind of, you know, money that other people would like to have? to yes, let's say that i know if i break into nasa, of course, i'm speaking hypothetically, let's say there is an opportunity. maybe i know you're doing work with the private space industry and i can get information on it. at the beginning, i know i have an inkling that this is what i'm
10:47pm
after. but then i think some departments might be targeting them. >> so private accounts are working counts? >> it has to be working counts. >> okay. >> it with somebody else, i mean, if somebody is acting on their own outside of the law, then yes, they can go after people at home. absolutely. and it happens all the time. >> i would like to add in the private sector voice, to. >> this idea, is there anything in nasa that somebody wants -- absolutely. there is something in every organization that is represented here that somebody wants. even if it's just because they are connected nonprofit,
10:48pm
anything, they are not a potential target. so naïve as to be destructive to the system. they are looking for leverage and in some cases looking to mix content mischief like destruction. that is all out there. and we all have to understand that and begin to take steps to respond to it so that people like her have a shot at doing her job. we can do it at all this are being stupid and naïve.
10:49pm
>> that quickfix is leadership. it is taking the rules that you are to have and no new software and hardware just take the rules and regulations that you have and enforce them. just a quick story? okay. the air force had a base commander who forced his i.t. people to give him a one digit password for his classified system. it was he was too important to be slowed down by multiple issues. security wasn't important. leaders send a huge message, and we expect cios to do their jobs effectively, leaders above them, the ceo or commanders, they all have to buy the same rules as close guys in the system.
10:50pm
it's not like all you have to do is set the right example or master password, if you did all that, they're still going to be a challenge. the thing is, what is your biggest risk? if all you have to do is follow along those large risks, then, right, i think that an example, the passports are not the biggest ones. it is putting all my defenses, a lot of my defenses in that, because that is where the biggest bull abilities are. you talk about the assets that nasa has and how to protect them. one of our challenges is that we
10:51pm
have data. we want to do information sharing, we want to collaborate with universities and other agencies and other organizations and on the other have we have data that we don't want anybody to get. >> what you need to make nasa's information safe? what you want? >> oh, goodness. a lot of things. i would say -- first, to understand what our threats are. to really understand it. trying to piece it together, information can be spotty. >> so you want government or other contractors to be involved? >> personally, other contractors. because we interconnect with a
10:52pm
lot of aerospace contractors. sometimes their vulnerabilities become ours. they are not exactly forthcoming with sharing that information. as we connect to their systems, we end up connecting to their own abilities and there is no requirement for them to say anything. i would like to see more resources in the intelligence organization and homeland security. citizens who understand the threats that are going on, if they had more resources, they can help us faster. something like a supply-chain, i could go on forever. christmas is coming.
10:53pm
there is no easy answer for this. it is interesting that the things you have said are exactly what i have heard 10 years ago. when cybersecurity personally came onto the radar screen. to boil it down and oversimplify, it remains. let's have guidance and the private sector will step up. there has since been a revolution in the threat out there. the private sector could improve security and it hasn't come close according to all the reporting that i've done, not
10:54pm
even close, to the threats that are out there. the idea that he could fill the needs that nasa has on the quality code that is coming out on the quality of how the structures are built, according to most of the people that i talked to, they fall way short of the extraordinary threat the country faces. and probably the world. the world in general. so i wonder what you think of the dhs proposal. thinking about this as a public health problem. based on your earlier comments, that means that the government is there with a very big stick swatting down companies that don't do their part and so on.
10:55pm
but i wonder what you think about the public health model of cybersecurity where everyone is held accountable to doing their part. >> i think the public health model is a great idea. i have written about republic health model on a military security model. this is a metaphor for cybersecurity. the problem that you run into, even with public health, you know, there were not people out there who didn't cough into their elbow when the flu season came. that was an education thing. we made people aware. people took better steps to improve their personal security. they washed their hands more, but they didn't get fined if they didn't wash her hands. >> that they can be ordered to stay in their house and people can be ordered to lock down if they have a disease.
10:56pm
all that means is the bad guys have to get the fear. all we do is we set that standard, which i'm sorry, the government is not good at having dynamic standards, if you set that standard, all you have done is give the bad guys a target that they know they need to exceed even. >> what condition that irritate on the lieberman bill that failed to pass? >> heritage disagreed with the bill because of the regulatory foundation. >> the reason that i ask is that most of the people on one of these earlier panels, i think it's safe to say it is not quite laughably permissive, but about as wide a version of the bill as it can be. when you think about the idea?
10:57pm
it is too static. they say, okay, i'm in compliance, i may be good. but you are just as vulnerable as you were, because the bad guys know how to get around it. we need to have a bill that leverages the self-preservation instinct. not in laissez-faire, but enables people to do that information sharing, take the right steps without just a unique standard, and you're good to go. >> lets use pollution as the model. okay, almost everybody on some level recognizes pollution is a threat to the common good. to some degree or other, people have accommodated rules and regulations that i think
10:58pm
arguably, i don't know if they are properly imbalance, but they have made our rivers cleaner and so on. is there any application of any consequence for the companies that don't do their part? or should it be left to their well-being in their own self-interest to serve the common good? >> i think if you establish some of the things i have mentioned, actual insurance business standards were supply-chain security that has a grating attached to it, so that customers can make risk-based decisions, i think the consequences will come. because he won't sell anything or you were selling it for the government, for instance, unless you have a certain level of security. my concern is just allowing the government, particularly dhs -- the dhs is not really a regulatory organization. even then, their responsibility for coming up with a regulation and enforcing a regulation is a scary thing for cyberspace. [talking over each other]
10:59pm
>> i don't think the government is in a position to set those regulatory standards. they can move fast enough and agilely enough in our present system to that. [talking over each other] >> okay, what do you think -- what would be a good smart move for the government? >> this is getting above my experience. >> what would make your life more difficult? companies or the government, something we met. >> first off, i agree with what steven says. maybe we can set a minimum standard. what good is the minimum standard going to do. once i know what the game is and why have to get around, i raise my level of hacking skills to meet that.

Terms of Use (10 Mar 2001)